mirror of
https://gitlab.freedesktop.org/mesa/mesa.git
synced 2026-05-16 18:28:05 +02:00
65fcdf4c81
Either we need to save this pointer or toss it.
==146166==ERROR: AddressSanitizer: heap-use-after-free on address 0x7bfe77013920 at pc 0x7b9e6fd5b978 bp 0x7ffc30ef18e0 sp 0x7ffc30ef18d8
READ of size 4 at 0x7bfe77013920 thread T0
#0 0x7b9e6fd5b977 in get_header ../src/util/ralloc.c:83
#1 0x7b9e6fd5b977 in ralloc_parent ../src/util/ralloc.c:382
#2 0x7b9e6fd5b977 in reralloc_size ../src/util/ralloc.c:198
#3 0x7b9e6fd5b977 in reralloc_array_size ../src/util/ralloc.c:241
#4 0x7b9e705f83c2 in range_minimum_query_table_resize ../src/util/range_minimum_query.c:21
#5 0x7b9e7018af1d in realloc_info ../src/compiler/nir/nir_dominance_lca.c:33
#6 0x7b9e7018af1d in nir_calc_dominance_lca_impl ../src/compiler/nir/nir_dominance_lca.c:126
#7 0x7b9e6ff9815c in nir_metadata_require ../src/compiler/nir/nir_metadata.c:42
#8 0x7b9e6ff998e4 in nir_metadata_require_most ../src/compiler/nir/nir_metadata.c:200
#9 0x7b9e6f8aab4d in st_finalize_nir ../src/mesa/state_tracker/st_glsl_to_nir.cpp:735
#10 0x7b9e6f0afb14 in st_create_common_variant ../src/mesa/state_tracker/st_program.c:858
#11 0x7b9e6f0be2d3 in st_get_common_variant ../src/mesa/state_tracker/st_program.c:973
#12 0x7b9e6f0bf9cf in st_precompile_shader_variant ../src/mesa/state_tracker/st_program.c:1478
#13 0x7b9e6f0bf9cf in st_finalize_program ../src/mesa/state_tracker/st_program.c:1596
#14 0x7b9e6f8b0127 in st_link_glsl_to_nir ../src/mesa/state_tracker/st_glsl_to_nir.cpp:633
#15 0x7b9e6f8b3611 in st_link_shader ../src/mesa/state_tracker/st_glsl_to_nir.cpp:816
#16 0x7b9e6f7bcf51 in link_program ../src/mesa/main/shaderapi.c:1412
#17 0x7b9e6f7bcf51 in link_program_error ../src/mesa/main/shaderapi.c:1474
#18 0x0000004020b0 in main._omp_fn.0 /home/alyssa/shader-db/run.c:872
#19 0x7f9e7893dd65 in GOMP_parallel (/lib64/libgomp.so.1+0xdd65) (BuildId: 9cc501fdca53b5d4ab094f709486781c98573bc9)
#20 0x000000400d6a in main /home/alyssa/shader-db/run.c:689
#21 0x7f9e78011574 in __libc_start_call_main (/lib64/libc.so.6+0x3574) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
#22 0x7f9e78011627 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3627) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
#23 0x000000401014 in _start (/home/alyssa/shader-db/run+0x401014) (BuildId: a83b8d830cc265be3f54ea3e7a21a0fb5156624b)
0x7bfe77013920 is located 0 bytes inside of 64-byte region [0x7bfe77013920,0x7bfe77013960)
freed by thread T0 here:
#0 0x7f9e782e5beb in free.part.0 (/usr/lib64/libasan.so.8+0xe5beb) (BuildId: cab80046dbc1c97c6e14490acc37d079701f8d9a)
#1 0x7b9e6fd5bc39 in unsafe_free ../src/util/ralloc.c:319
#2 0x7b9e6fd5bc39 in ralloc_free ../src/util/ralloc.c:264
#3 0x7b9e70063d81 in nir_sweep ../src/compiler/nir/nir_sweep.c:219
#4 0x7b9e6f0bf499 in st_finalize_program ../src/mesa/state_tracker/st_program.c:1585
#5 0x7b9e6f8b0127 in st_link_glsl_to_nir ../src/mesa/state_tracker/st_glsl_to_nir.cpp:633
#6 0x7b9e6f8b3611 in st_link_shader ../src/mesa/state_tracker/st_glsl_to_nir.cpp:816
#7 0x7b9e6f7bcf51 in link_program ../src/mesa/main/shaderapi.c:1412
#8 0x7b9e6f7bcf51 in link_program_error ../src/mesa/main/shaderapi.c:1474
#9 0x0000004020b0 in main._omp_fn.0 /home/alyssa/shader-db/run.c:872
previously allocated by thread T0 here:
#0 0x7f9e782e5e4b in realloc.part.0 (/usr/lib64/libasan.so.8+0xe5e4b) (BuildId: cab80046dbc1c97c6e14490acc37d079701f8d9a)
#1 0x7b9e6fd5a883 in resize ../src/util/ralloc.c:167
#2 0x7b9e705f83c2 in range_minimum_query_table_resize ../src/util/range_minimum_query.c:21
#3 0x7b9e7018af1d in realloc_info ../src/compiler/nir/nir_dominance_lca.c:33
#4 0x7b9e7018af1d in nir_calc_dominance_lca_impl ../src/compiler/nir/nir_dominance_lca.c:126
#5 0x7b9e6ff9815c in nir_metadata_require ../src/compiler/nir/nir_metadata.c:42
#6 0x7b9e6ff998e4 in nir_metadata_require_most ../src/compiler/nir/nir_metadata.c:200
#7 0x7b9e6f8b0ede in st_link_glsl_to_nir ../src/mesa/state_tracker/st_glsl_to_nir.cpp:550
#8 0x7b9e6f8b3611 in st_link_shader ../src/mesa/state_tracker/st_glsl_to_nir.cpp:816
#9 0x7b9e6f7bcf51 in link_program ../src/mesa/main/shaderapi.c:1412
#10 0x7b9e6f7bcf51 in link_program_error ../src/mesa/main/shaderapi.c:1474
#11 0x0000004020b0 in main._omp_fn.0 /home/alyssa/shader-db/run.c:872
Fixes: 17876a00af ("nir: Add a faster lowest common ancestor algorithm")
Signed-off-by: Alyssa Rosenzweig <alyssa.rosenzweig@intel.com>
Reviewed-by: Mel Henning <mhenning@darkrefraction.com>
Reviewed-by: Ian Romanick <ian.d.romanick@intel.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/38412>
226 lines
6.4 KiB
C
226 lines
6.4 KiB
C
/*
|
|
* Copyright © 2015 Intel Corporation
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a
|
|
* copy of this software and associated documentation files (the "Software"),
|
|
* to deal in the Software without restriction, including without limitation
|
|
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
|
* and/or sell copies of the Software, and to permit persons to whom the
|
|
* Software is furnished to do so, subject to the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice (including the next
|
|
* paragraph) shall be included in all copies or substantial portions of the
|
|
* Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
|
|
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
|
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
|
|
* IN THE SOFTWARE.
|
|
*/
|
|
|
|
#include "util/u_printf.h"
|
|
#include "nir.h"
|
|
|
|
/**
|
|
* \file nir_sweep.c
|
|
*
|
|
* The nir_sweep() pass performs a mark and sweep pass over a nir_shader's associated
|
|
* memory - anything still connected to the program will be kept, and any dead memory
|
|
* we dropped on the floor will be freed.
|
|
*
|
|
* The expectation is that drivers should call this when finished compiling the shader
|
|
* (after any optimization, lowering, and so on). However, it's also fine to call it
|
|
* earlier, and even many times, trading CPU cycles for memory savings.
|
|
*/
|
|
|
|
static void
|
|
sweep_constant(nir_shader *nir, nir_constant *c)
|
|
{
|
|
ralloc_steal(nir, c);
|
|
|
|
if (c->num_elements) {
|
|
assert(c->elements);
|
|
ralloc_steal(nir, c->elements);
|
|
for (unsigned i = 0; i < c->num_elements; i++)
|
|
sweep_constant(nir, c->elements[i]);
|
|
} else {
|
|
assert(!c->elements);
|
|
}
|
|
}
|
|
|
|
static void
|
|
sweep_variable(nir_shader *nir, nir_variable *var)
|
|
{
|
|
gc_mark_live(nir->gctx, var);
|
|
nir_variable_steal_name(nir, var, var);
|
|
ralloc_steal(nir, var->max_ifc_array_access);
|
|
ralloc_steal(nir, var->state_slots);
|
|
if (var->constant_initializer)
|
|
sweep_constant(nir, var->constant_initializer);
|
|
if (var->pointer_initializer)
|
|
sweep_variable(nir, var->pointer_initializer);
|
|
ralloc_steal(nir, var->members);
|
|
}
|
|
|
|
static void
|
|
sweep_var_list(nir_shader *nir, struct exec_list *list)
|
|
{
|
|
foreach_list_typed(nir_variable, var, node, list) {
|
|
sweep_variable(nir, var);
|
|
}
|
|
}
|
|
|
|
static void sweep_cf_node(nir_shader *nir, nir_cf_node *cf_node);
|
|
|
|
static void
|
|
sweep_block(nir_shader *nir, nir_block *block)
|
|
{
|
|
ralloc_steal(nir, block);
|
|
|
|
nir_foreach_instr(instr, block) {
|
|
gc_mark_live(nir->gctx, nir_instr_get_gc_pointer(instr));
|
|
|
|
if (instr->has_debug_info) {
|
|
nir_instr_debug_info *debug_info = nir_instr_get_debug_info(instr);
|
|
ralloc_steal(nir, debug_info->filename);
|
|
ralloc_steal(nir, debug_info->variable_name);
|
|
}
|
|
|
|
switch (instr->type) {
|
|
case nir_instr_type_tex:
|
|
gc_mark_live(nir->gctx, nir_instr_as_tex(instr)->src);
|
|
break;
|
|
case nir_instr_type_phi:
|
|
nir_foreach_phi_src(src, nir_instr_as_phi(instr))
|
|
gc_mark_live(nir->gctx, src);
|
|
break;
|
|
case nir_instr_type_intrinsic:
|
|
ralloc_steal(nir, (void *)nir_instr_as_intrinsic(instr)->name);
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
static void
|
|
sweep_if(nir_shader *nir, nir_if *iff)
|
|
{
|
|
ralloc_steal(nir, iff);
|
|
|
|
foreach_list_typed(nir_cf_node, cf_node, node, &iff->then_list) {
|
|
sweep_cf_node(nir, cf_node);
|
|
}
|
|
|
|
foreach_list_typed(nir_cf_node, cf_node, node, &iff->else_list) {
|
|
sweep_cf_node(nir, cf_node);
|
|
}
|
|
}
|
|
|
|
static void
|
|
sweep_loop(nir_shader *nir, nir_loop *loop)
|
|
{
|
|
assert(!nir_loop_has_continue_construct(loop));
|
|
ralloc_steal(nir, loop);
|
|
|
|
foreach_list_typed(nir_cf_node, cf_node, node, &loop->body) {
|
|
sweep_cf_node(nir, cf_node);
|
|
}
|
|
}
|
|
|
|
static void
|
|
sweep_cf_node(nir_shader *nir, nir_cf_node *cf_node)
|
|
{
|
|
switch (cf_node->type) {
|
|
case nir_cf_node_block:
|
|
sweep_block(nir, nir_cf_node_as_block(cf_node));
|
|
break;
|
|
case nir_cf_node_if:
|
|
sweep_if(nir, nir_cf_node_as_if(cf_node));
|
|
break;
|
|
case nir_cf_node_loop:
|
|
sweep_loop(nir, nir_cf_node_as_loop(cf_node));
|
|
break;
|
|
default:
|
|
UNREACHABLE("Invalid CF node type");
|
|
}
|
|
}
|
|
|
|
static void
|
|
sweep_impl(nir_shader *nir, nir_function_impl *impl)
|
|
{
|
|
ralloc_steal(nir, impl);
|
|
|
|
sweep_var_list(nir, &impl->locals);
|
|
|
|
foreach_list_typed(nir_cf_node, cf_node, node, &impl->body) {
|
|
sweep_cf_node(nir, cf_node);
|
|
}
|
|
|
|
sweep_block(nir, impl->end_block);
|
|
|
|
/* Wipe out all the metadata, if any. */
|
|
nir_progress(true, impl, nir_metadata_none);
|
|
|
|
/* These will be reallocated if needed. NULL them out so we don't
|
|
* use-after-free later.
|
|
*/
|
|
impl->dom_lca_info.table.table = NULL;
|
|
impl->dom_lca_info.block_from_idx = NULL;
|
|
}
|
|
|
|
static void
|
|
sweep_function(nir_shader *nir, nir_function *f)
|
|
{
|
|
ralloc_steal(nir, f);
|
|
ralloc_steal(nir, f->params);
|
|
|
|
for (unsigned i = 0; i < f->num_params; i++)
|
|
ralloc_steal(nir, (char *)f->params[i].name);
|
|
|
|
if (f->impl)
|
|
sweep_impl(nir, f->impl);
|
|
}
|
|
|
|
void
|
|
nir_sweep(nir_shader *nir)
|
|
{
|
|
void *rubbish = ralloc_context(NULL);
|
|
|
|
struct list_head instr_gc_list;
|
|
list_inithead(&instr_gc_list);
|
|
|
|
/* First, move ownership of all the memory to a temporary context; assume dead. */
|
|
ralloc_adopt(rubbish, nir);
|
|
|
|
/* Start sweeping */
|
|
gc_sweep_start(nir->gctx);
|
|
|
|
ralloc_steal(nir, nir->gctx);
|
|
ralloc_steal(nir, (char *)nir->info.name);
|
|
if (nir->info.label)
|
|
ralloc_steal(nir, (char *)nir->info.label);
|
|
|
|
/* Variables are not dead. Steal them back. */
|
|
sweep_var_list(nir, &nir->variables);
|
|
|
|
/* Recurse into functions, stealing their contents back. */
|
|
foreach_list_typed(nir_function, func, node, &nir->functions) {
|
|
sweep_function(nir, func);
|
|
}
|
|
|
|
ralloc_steal(nir, nir->constant_data);
|
|
ralloc_steal(nir, nir->xfb_info);
|
|
ralloc_steal(nir, nir->printf_info);
|
|
for (int i = 0; i < nir->printf_info_count; i++) {
|
|
ralloc_steal(nir, nir->printf_info[i].arg_sizes);
|
|
ralloc_steal(nir, nir->printf_info[i].strings);
|
|
}
|
|
|
|
/* Free everything we didn't steal back. */
|
|
gc_sweep_end(nir->gctx);
|
|
ralloc_free(rubbish);
|
|
}
|